  • Question

    Is there a clear reference that states at what point in a program lifecycle we are required to seek IATO, ATO? How will this change, if at all, under RMF? Is there a lifecycle chart that clearly shows when a program must seek IATO, ATO? Will something like this be published for IT acquisition programs under RMF?


    Answer

    Step 1 of the RMF process is the point at which you will seek an ATO or IATO. This should occur in the pre-systems acquisition phase before Milestone A. Step 5 of the RMF process is the authorize phase and the system should be authorized before Milestone C. While the intent was to begin the DIACAP process earlier than what you laid out above, it was not always the case with DIACAP. The terminology related to "seeking an ATO" and getting one may be a little unclear, but the bottom line is that when the system is fielded, it must have an ATO or IATO. DoDI 5000.02 states the following:
    Cybersecurity RMF steps and activities, as described in DoD Instruction 8510.01, should be initiated as early as possible and fully integrated into the DoD acquisition process including requirements management, systems engineering, and test and evaluation.
